It checks consistency of the zip64 end of central directory
record, and preventing obfuscation of the payload, i.e., you
scanning for malicious content in a ZIP file with one ZIP parser
(let's say a Rust one) then unpack it in production with another
(e.g., the Python one) and get malicious content that the other
parser did not see (CVE-2025-8291, bsc#1251305)
- Tools/Demos
- gh-139330: SBOM generation tool didn’t cross-check
the version and checksum values against the
Modules/expat/refresh.sh script, leading to the values
becoming out-of-date during routine updates.
- gh-132006: XCframeworks now include privacy manifests to
satisfy Apple App Store submission requirements.
- gh-138171: A script for building an iOS XCframework was
added. As part of this change, the top level iOS folder has
been moved to be a subdirectory of the Apple folder.
- gh-137873: The iOS test runner has been simplified,
resolving some issues that have been observed using
the runner in GitHub Actions and Azure Pipelines test
environments.
- gh-137484: Have Tools/wasm/wasi put the build Python into a
directory named after the build triple instead of “build”.
- gh-137025: The wasm_build.py script has been removed.
Tools/wasm/emscripten and Tools/wasm/wasi should be used
instead, as described in the Dev Guide.
- gh-137248: Add a --logdir option to Tools/wasm/wasi for
specifying where to write log files.
- gh-137243: Have Tools/wasm/wasi detect a WASI SDK install
in /opt when it was directly extracted from a release
tarball.
- gh-136251: Fixes and usability improvements for
Tools/wasm/emscripten/web_example
- gh-135968: Stubs for strip are now provided as part of an
iOS install.
- gh-135379: The cases generator no longer accepts type
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=109
Python 3.14 is the latest stable release of the Python
programming language, with a mix of changes to the language,
the implementation, and the standard library. The biggest
changes include template string literals, deferred evaluation
of annotations, and support for subinterpreters in the standard
library.
The library changes include significantly improved capabilities
for introspection in asyncio, support for Zstandard via a new
compression.zstd module, syntax highlighting in the REPL, as
well as the usual deprecations and removals, and improvements
in user-friendliness and correctness.
- Interpreter improvements:
- PEP 649 and PEP 749: Deferred evaluation of annotations
- PEP 734: Multiple interpreters in the standard library
- PEP 750: Template strings
- PEP 758: Allow except and except* expressions without
brackets
- PEP 765: Control flow in finally blocks
- PEP 768: Safe external debugger interface for CPython
- A new type of interpreter
- Free-threaded mode improvements
- Improved error messages
- Incremental garbage collection
- Significant improvements in the standard library:
- PEP 784: Zstandard support in the standard library
- Asyncio introspection capabilities
- Concurrent safe warnings control
- Syntax highlighting in the default interactive shell, and
color output in several standard library CLIs
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=104
- Tools/Demos
- gh-137873: The iOS test runner has been simplified,
resolving some issues that have been observed using
the runner in GitHub Actions and Azure Pipelines test
environments.
- Security
- gh-135661: Fix CDATA section parsing in
html.parser.HTMLParser according to the HTML5 standard: ]
]> and ]] > no longer end the CDATA section. Add private
method _set_support_cdata() which can be used to specify
how to parse <[CDATA[ — as a CDATA section in foreign
content (SVG or MathML) or as a bogus comment in the HTML
namespace.
- Library
- gh-138998: Update bundled libexpat to 2.7.2
- gh-118803: Add back collections.abc.ByteString and
typing.ByteString. Both had been removed in prior alpha,
beta and release candidates for Python 3.14, but their
removal has now been postponed to Python 3.17.
- gh-137226: Fix typing.get_type_hints() calls on generic
typing.TypedDict classes defined with string annotations.
- gh-138804: Raise TypeError instead of AttributeError when
an argument of incorrect type is passed to shlex.quote().
This restores the behavior of the function prior to 3.14.
- gh-128636: Fix crash in PyREPL when os.environ is
overwritten with an invalid value for mac
- gh-138514: Raise ValueError when a multi-character string
is passed to the echo_char parameter of getpass.getpass().
Patch by Benjamin Johnson.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=99
- Library
- gh-137426: Remove the code deprecation of
importlib.abc.ResourceLoader. It is documented as
deprecated, but left for backwards compatibility with other
classes in importlib.abc.
- gh-137282: Fix tab completion and dir() on
concurrent.futures.
- gh-137257: Bump the version of pip bundled in ensurepip to
version 25.2
- gh-137226: Fix behavior of
annotationlib.ForwardRef.evaluate() when the type_params
parameter is passed and the name of a type param is also
present in an enclosing scope.
- gh-130522: Fix unraisable TypeError raised during
interpreter shutdown in the threading module.
- gh-137059: Fix handling of file URLs with a
Windows drive letter in the URL authority by
urllib.request.url2pathname(). This fixes a regression in
earlier pre-releases of Python 3.14.
- gh-130577: tarfile now validates archives to ensure member
offsets are non-negative. (Contributed by Alexander Enrique
Urieles Nieto in gh-130577; CVE-2025-8194, bsc#1247249).
- gh-135228: When dataclasses replaces a class with a slotted
dataclass, the original class can now be garbage collected
again. Earlier changes in Python 3.14 caused this class to
always remain in existence together with the replacement
class synthesized by dataclasses.
- Documentation
- gh-136155: We are now checking for fatal errors in EPUB
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=91
- Tools/Demos
- gh-136251: Fixes and usability improvements for
Tools/wasm/emscripten/web_example
- Security
- gh-135661: Fix parsing attributes with whitespaces around
the = separator in html.parser.HTMLParser according to the
HTML5 standard.
- gh-118350: Fix support of escapable raw text mode (elements
“textarea” and “title”) in html.parser.HTMLParser.
- Library
- gh-136170: Removed the unreleased
zipfile.ZipFile.data_offset property added in 3.14.0a7 as
it wasn’t fully clear which behavior it should have in some
situations so the result was not always what a user might
expect.
- gh-124621: pyrepl now works in Emscripten.
- gh-136874: Discard URL query and fragment in
urllib.request.url2pathname().
- gh-130645: Enable color help by default in argparse.
- gh-136549: Fix signature of threading.excepthook().
- gh-136523: Fix wave.Wave_write emitting an unraisable when
open raises.
- gh-52876: Add missing keepends (default True)
parameter to codecs.StreamReaderWriter.readline() and
codecs.StreamReaderWriter.readlines().
- gh-136470: Correct
concurrent.futures.InterpreterPoolExecutor’s default thread
name.
- gh-136476: Fix a bug that was causing the
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=86
- Tools/Demos
- gh-135968: Stubs for strip are now provided as part of an
iOS install.
- gh-133600: Backport file reorganization for .
Tools/wasm/wasi This should make backporting future code .
changes easier. It also simplifies instructions around how.
to do WASI builds in the devguide .
- Tests
- gh-135966: The iOS testbed now handles the app_packages
folder as a site directory.
- gh-135494: Fix regrtest to support excluding tests from
--pgo tests. Patch by Victor Stinner.
- Security
- gh-136053: marshal: fix a possible crash when deserializing
slice objects.
- gh-135661: Fix parsing start and end tags in
html.parser.HTMLParser according to the HTML5 standard.
- Whitespaces no longer accepted between </ and the tag
name. E.g. </ script> does not end the script section.
- Vertical tabulation (\v) and non-ASCII whitespaces no
longer recognized as whitespaces. The only whitespaces
are \t\n\r\f and space.
- Null character (U+0000) no longer ends the tag name.
- Attributes and slashes after the tag name in end tags are
now ignored, instead of terminating after the first > in
quoted attribute value. E.g. </script/foo=">"/>.
- Multiple slashes and whitespaces between the last
attribute and closing > are now ignored in both start and
end tags. E.g. <a foo=bar/ //>.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=80
- Tests
- gh-132815: Fix test__opcode: add JUMP_BACKWARD to
specialization stats.
- gh-135489: Show verbose output for failing tests during PGO
profiling step with –enable-optimizations.
- gh-135120: Add test.support.subTests().
- Security
- gh-135462: Fix quadratic complexity in processing specially
crafted input in html.parser.HTMLParser. End-of-file errors
are now handled according to the HTML5 specs – comments and
declarations are automatically closed, tags are ignored.
- gh-135034: Fixes multiple issues that allowed tarfile
extraction filters (filter="data" and filter="tar") to be
bypassed using crafted symlinks and hard links.
Addresses CVE 2024-12718, CVE 2025-4138, CVE 2025-4330, and
CVE 2025-4517.
- Library
- gh-65697: configparser’s error message when attempting to
write an invalid key is now more helpful.
- gh-135497: Fix os.getlogin() failing for longer usernames
on BSD-based platforms.
- gh-135429: Fix the argument mismatch in _lsprof for
PY_THROW event.
- gh-135368: Fix unittest.mock.Mock generation on
dataclasses.dataclass() objects. Now all special attributes
are set as it was before gh-124429.
- gh-133967: Do not normalize locale name ‘C.UTF-8’ to
‘en_US.UTF-8’.
- gh-135321: Raise a correct exception for values greater
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=73
- Tools/Demos
- gh-134215: REPL import autocomplete only suggests private
modules when explicitly specified.
- Tests
- gh-133744: Fix multiprocessing interrupt test. Add an event
to synchronize the parent process with the child process:
wait until the child process starts sleeping. Patch by
Victor Stinner.
- gh-133682: Fixed test case
test.test_annotationlib.TestStringFormat.test_displays
which ensures proper handling of complex data structures
(lists, sets, dictionaries, and tuples) in string
annotations.
- gh-133639: Fix
TestPyReplAutoindent.test_auto_indent_default() doesn’t run
input_code.
- Security
- gh-133767: Fix use-after-free in the “unicode-escape”
decoder with a non-“strict” error handler (CVE-2025-4516
bsc#1243273).
- gh-128840: Short-circuit the processing of long IPv6
addresses early in ipaddress to prevent excessive memory
consumption and a minor denial-of-service.
- Library
- gh-132710: If possible, ensure that uuid.getnode()
returns the same result even across different
processes. Previously, the result was constant only within
the same process. Patch by Bénédikt Tran.
- gh-80334: multiprocessing.freeze_support() now checks for
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=71
- Tools/Demos
- gh-130453: Allow passing multiple keyword arguments with
the same function name in pygettext.
- gh-130195: Add warning messages when pygettext
unimplemented -a/--extract-all option is called.
- Tests
- gh-133131: The iOS testbed will now select the most
recently released “SE-class” device for testing if a device
isn’t explicitly specified.
- gh-91048: Add ability to externally inspect all pending
asyncio tasks, even if no task is currently entered on the
event loop.
- gh-109981: The test helper that counts the list of open
file descriptors now uses the optimised /dev/fd approach on
all Apple platforms, not just macOS. This avoids crashes
caused by guarded file descriptors.
- gh-132678: Add --prioritize to -m test. This option allows
the user to specify which selected tests should execute
first, even if the order is otherwise randomized. This is
particularly useful for tests that run the longest.
- gh-131290: Tests in Lib/test can now be correctly executed
as standalone scripts.
- Security
- gh-115322: The underlying extension modules behind
readline:, subprocess, and ctypes now raise audit events
on previously uncovered code paths that could lead to file
system access related to C function calling and external
binary execution. The ctypes.call_function audit hook has
also been fixed to use an unsigned value for its function
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=53
- Tools/Demos
- gh-129248: The iOS test runner now strips the log prefix
from each line output by the test suite.
- gh-104400: Fix several bugs in extraction by switching to
an AST parser in pygettext.
- Tests
- gh-129386: Add test.support.reset_code, which can be used
to reset various bytecode-level optimizations and local
instrumentation for a function.
- gh-128474: Disable test_embed test cases that segfault on
BOLT instrument binaries. The tests are only disabled when
BOLT is enabled.
- gh-128003: Add an option --parallel-threads=N to the
regression test runner that runs individual tests in
multiple threads in parallel in order to find concurrency
bugs. Note that most of the test suite is not yet reviewed
for thread-safety or annotated with @thread_unsafe when
necessary.
- Security
- gh-105704: When using urllib.parse.urlsplit() and
urllib.parse.urlparse() host parsing would not reject
domain names containing square brackets ([ and ]). Square
brackets are only valid for IPv6 and IPvFuture hosts
according to RFC 3986 Section 3.2.2.
- gh-126108: Fix a possible NULL pointer dereference in
PySys_AddWarnOptionUnicode().
- gh-80222: Fix bug in the folding of quoted strings
when flattening an email message using a modern email
policy. Previously when a quoted string was folded so
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=38
- Tools/Demos
- gh-128152: Fix a bug where Argument Clinic’s C
pre-processor parser tried to parse pre-processor
directives inside C comments. Patch by Erlend Aasland.
- Tests
- gh-128690: Temporarily do not use test_embed in PGO profile
builds until the problem with test_init_pyvenv_cfg failing
in some configurations is resolved.
- Library
- gh-128731: Fix ResourceWarning in
urllib.robotparser.RobotFileParser.read().
- gh-71339: Add new assertion methods for unittest:
assertHasAttr(), assertNotHasAttr(), assertIsSubclass(),
assertNotIsSubclass() assertStartsWith(),
assertNotStartsWith(), assertEndsWith() and
assertNotEndsWith().
- gh-118761: Improve import time of pickle by 25% by removing
an unnecessary regular expression. As such, re is no more
implicitly available as pickle.re. Patch by Bénédikt Tran.
- gh-128661: Fixes typing.evaluate_forward_ref() not showing
deprecation when type_params arg is not passed.
- gh-128562: Fix possible conflicts in generated tkinter
widget names if the widget class name ends with a digit.
- gh-128559: Improved import time of asyncio.
- gh-128552: Fix cyclic garbage introduced
by asyncio.loop.create_task() and
asyncio.TaskGroup.create_task() holding a reference to the
created task if it is eager.
- gh-128340: Add internal thread safe handle to be used
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=32
- Tools/Demos
- gh-126700: Add support for multi-argument gettext functions
in pygettext.py.
- Tests
- gh-127906: Test the limited C API in test_cppext. Patch by
Victor Stinner.
- gh-127637: Add tests for the dis command-line
interface. Patch by Bénédikt Tran.
- gh-126925: iOS test results are now streamed during test
execution, and the deprecated xcresulttool is no longer
used.
- gh-127076: Disable strace based system call tests when
LD_PRELOAD is set.
- gh-127076: Filter out memory-related mmap, munmap, and
mprotect calls from file-related ones when testing io
behavior using strace.
- Security
- gh-127655: Fixed the
asyncio.selector_events._SelectorSocketTransport
transport not pausing writes for the protocol when
the buffer reaches the high water mark when using
asyncio.WriteTransport.writelines().
- Library
- gh-126907: Fix crash when using atexit concurrently on the
free-threaded build.
- gh-127870: Detect recursive calls in ctypes _as_parameter_
handling. Patch by Victor Stinner.
- gh-127732: The platform module now correctly detects
Windows Server 2025.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=28
- Tools/Demos
- gh-126807: Fix extraction warnings in pygettext.py caused
by mistaking function definitions for function calls.
- gh-126167: The iOS testbed was modified so that it can be
used by third-party projects for testing purposes.
- Tests
- gh-126909: Fix test_os extended attribute tests to work on
filesystems with 1 KiB xattr size limit.
- gh-125730: Change make test to not run GUI tests by
default. Use make ci to run tests with GUI tests instead.
- gh-124295: Add translation tests to the argparse module.
- Security
- gh-126623: Upgrade libexpat to 2.6.4
- Library
- gh-85957: Add missing MIME types for images with RFCs: emf,
fits, g3fax, jp2, jpm, jpx, t38, tiff-fx and wmf. Patch by
Hugo van Kemenade.
- gh-126920: Fix the prefix and exec_prefix keys from
sysconfig.get_config_vars() incorrectly having the same
value as sys.base_prefix and sys.base_exec_prefix,
respectively, inside virtual environments. They now
accurately reflect sys.prefix and sys.exec_prefix.
- gh-67877: Fix memory leaks when regular expression matching
terminates abruptly, either because of a signal or because
memory allocation fails.
- gh-125063: marshal now supports slice objects. The marshal
format version was increased to 5.
- gh-126789: Fixed the values of sysconfig.get_config_vars(),
sysconfig.get_paths(), and their siblings when the site
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python314?expand=0&rev=23
